I have a single-server HP iMC deployment up and running. Here’s the process:
- Install and Configure the Prereqs (SQL, IIS for redirect, etc).
- AD Bind User
- Web Server Certificate
- IIS for HTTP Redirection
- Install HP iMC.
- Configure a custom web server certificate.
- Integrate with LDAP and change the initial admin password.
- Redirect 80 & 443 to the actual web app’s ports.
Seems simple enough. Let’s get started!
Install and Configure the Prereqs
- Install SQL and the latest SP’s and CU’s.
- Enable Mixed-Mode and secure the SA account.
- Enable TCP/IP.
- Open SQL Server Management Studio -> right-click your db server -> properties.
- Click ‘Security’ then enable ‘SQL Server and Windows Authentication Mode’, then click OK to close the window.
- Next, expand the Security folder -> Logins.
- Right-click the ‘sa’ account and rename it to ‘sa-imc’ or something similar.
- Right-click the ‘sa-imc’ account and choose ‘Properties’.
- Change the sa account password.
- On the sa account properties page, click ‘status’ -> Enabled.
- Start -> Programs -> SQL Server 2008 -> Configuration Tools -> “SQL Configuration Manager”.
- SQL Server Network Configuration -> Protocols -> TCP/IP
- Enabled -> Yes
- IP Addresses -> 127.0.0.1 -> Enabled: Yes, OK to close the window.
- SQL Server Services -> SQL Server -> Right-click and ‘restart’.
AD Bind User
For this, you just need to create an account in AD for iMC to bind with. I recommend using a 64 character random password (at least). Also, I recommend limiting this account such that it cannot interactively login to workstations.
Once created, copy down the distinguishedName attribute. You’ll need this to configure AD integration in iMC.
Web Server Certificate
I wanted a PKI web server certificate for the HP iMC web app. That requires a couple things:
- Create a web server certificate template with an exportable key.
- Give the iMC server permission to enroll from that template.
- Deploy the template to one of your CA’s.
- Request the certificate
Creating and Deploying the Template
- On a CA, run ‘certtmpl.msc’ to open the Certificate Templates mmc snap-in.
- Right-click the ‘Web Server Certificate’ template then choose ‘Duplicate’.
- Choose ‘Windows Server 2003’ mode.
- Name the new certificate ‘HP iMC Web Server Certificate’.
- Under the ‘Request Handling’ tab, choose ‘Allow Private Key to be Exportable’. Also, I chose a key size of 2048.
- Under the ‘security’ tab, give the iMC computer account the following permissions: read, enroll.
- On your CA, run the ‘Certificate Authority’ snap-in -> Certificate Templates -> Add -> “HP iMC Web Server Certificate’.
Request the Certificate
- On your imc server, run ‘mmc’.
- Add the certificates snap-in targeted at the computer account.
- Navigate to the personal store, right-click -> Request New Certificate.
- Click next to select your AD policy, then check the box ‘HP iMC Web Server Certificate’
- Under the cert template we’re using, click Details -> Properties.
- Leave the ‘subject name’ box completely blank. Under ‘Alternative Subject Name’ add whatever DNS entries you’d like to use for this server.
- Under the ‘General’ tab, add a friendly name. It helps organize things quite a bit.
- Click OK, then next a couple times to request the cert. Congrats!
Exporting the Cert for use in iMC
HP iMC will not use the certificate by default, so you need to export the certificate with it’s private key. Later on in the process, we’ll convert the PKCS #12 key into a java keystore that HP iMC can accept.
- Open MMC -> Add the Certificates Snap-in, targeted at the computer account.
- Navigate to the Personal store.
- Right click the new Web Server Certificate -> Export.
- Export as a PKCS #12, and choose the box to export all certificates in the chain. I recommend using at least a 64 character password. Do NOT choose the box to delete the private key if the export is successful, or certificate will stop working.
- Save this file somewhere sensible, like C:\Build on the iMC server.
IIS for Redirection
I wanted to make the system easy for our network guys to access. To me, custom web application ports are difficult to remember — so I installed IIS to redirect all incoming traffic on 80 and 443 to the full https://fqdn:customPort location of iMC.
- Install the IIS role with only ‘HTTP Redirection’, logging, and anything else you feel that you need. You don’t need static content, ASP, etc.
- Open IIS Manager -> Default Site
- Right-click Default Site -> Bindings
- Edit the HTTPS binding and select the web server certificate that was requested earlier, then click OK to get back to IIS Manager.
- Click Default Site, then on the right-pane double-click “HTTP Redirection”.
- Check all three boxes, then for the target location enter:
- Click Save, then exit IIS manager.
- Disable UAC and restart. I haven’t been able to get HP iMC working properly with UAC enabled. It’ll install if you run a command prompt as admin, but won’t start properly.
- Nagivate to your install media directory and double-click ‘start-install.bat’.
- Follow the instructions, using ‘sa-imc’ and the sa password to connect the the SQL server. Everything should just work.
- iMC does not automatically start running on boot. To enable auto-load on boot, open the iMC Agent and check the box “Automatically start the services when the OS starts.” You can also start the service immediately if desired.
Convert and Install the Web Server Certificate
The iMC web server is called jserver, which is a java-based web server. It requires a java compatible keystore for certificates. Also, HP iMC can only use a key with the name ‘imc’. To get everything correct we need to convert your PFX file to a java keystore, clone the keychain with a new name, then remove the original keychain with the default name.
- Open a command prompt and navigate to C:\Program Files\Java\jre14\bin.
- Run the following command to convert the PFX certificate chain exported earlier to a java keystore. It will display an ‘alias’ that looks something like -LongGUID. You’ll need this alias name in the next step.
keytool.exe -importkeystore -srckeystore C:\build\hp-imc-webservercert-2012.pfx -destkeystore C:\build\keystore -srcstoretype pkcs12 -deststoretype JKS -storepass iMCV300R002 -v
- Run the following command to clone the long GUID name into the name ‘imc’ which the web application requires. For <GUID>, use the alias name given in the previous step.
keytool -keyclone -keystore c:\build\keystore -alias le-hpimcwebserver-03afd524-5d34-4fd0-a2f0-84b1b982afa6 -dest imc
- This last command will remove the original alias name from the keystore.
keytool -delete -keystore c:\build\keystore -alias le-hpimcwebserver-03afd524-5d34-4fd0-a2f0-84b1b982afa6
- Now, run the following commands to import the key:
net stop "HP iMC Server" ren "C:\Program Files\iMC\client\security\keystore" "C:\Program Files\iMC\client\security\keystore.orig.bak" copy /y "C:\build\keystore" "C:\Program Files\iMC\client\security\" net stop "HP iMC Server"
- To restart the web server, open the iMC Agent, find the ‘Process’ tab, then restart the ‘jserver.exe’ process.
Change the Admin Password Integrate with LDAP
- Navigate to http://localhost. IIS should redirect you to the full https://fqdn/imc and you should _not_ get a certificate warning.
- Login as admin\admin.
- Click System -> Operator Management -> Operator.
- For the account ‘admin’ click ‘Modify’.
- Change the password!
- Click System -> Operator Management -> Authentication Server.
- Fill out the LDAP server information, then click ‘OK’. Make sure to choose ‘Microsoft Active Directory’ for server type. For ‘Admin DN’, enter the distinguishedName of the Bind User created earlier.
Alright! All the basics are now done. Enjoy!